Skip to content
Talk to our solutions team

Identity & Access (IAM)

The platform has a full identity and access-management model: who a principal is (authentication), what they’re allowed to do (authorization), and which data they can see (row- and field-level access control). It runs as a backend service (iam.svc, installed via kvm install iam.svc) and is configured declaratively as kis spec YAML definitions, so you author, validate, and lint your IAM config the same way you do entities.

Authentication: how a principal proves who they are

Section titled “Authentication: how a principal proves who they are”

Interactively, you authenticate the CLI with kis login (classic or magic-link), stored under a named context. The platform itself models authentication with these kinds:

KindWhat it represents
Provider / ProvidersAn authentication provider configuration
ProviderTypeThe provider types available
ProviderAuthTypeWhether a provider is delegate or managed
Realm / RealmsA user group with its own auth methods, realms separate employees, customers, partners
RealmProviderAn auth provider bound to a realm
MFAMethodAvailable multi-factor methods

Realms are the key idea: they partition kinds of users (employees vs. customers vs. partners), each with their own providers and methods, so one platform can authenticate very different audiences without mixing them.

KindWhat it represents
UserA user / principal in the system
UserTypeThe types of principals in the IAM system
UserTypePrefixMaps user types to their ID prefixes
ServiceAccountA service principal (non-human / machine identity)

This is the policy layer, roles, permissions, and the rules that evaluate them.

KindWhat it represents
AuthorizationTop-level container for authorization config
AuthzTypeThe authorization model type in use
RoleA role in RBAC (role-based access control)
PermissionA permission grant
Policy / PolicyLanguageAn authorization policy and its language
ActionCommon authorization actions
ConditionA condition within a policy
OPAConfigOpen Policy Agent delegation configuration
CheckConfigA condition check

Beyond “can you call this action,” the platform controls which rows and fields a principal sees, enforced down at the data layer.

KindWhat it represents
AccessEntity-level access-control configuration
AccessActionsThe actions a user can perform: create, read, update, delete, purge, unmask
AccessRule / AccessRuleLanguageAn access-control rule and its language
FieldAccessRuleField-level access control
RowLevelSecurityRow-level access control
QueryHash / QueryHashesA named SQL query that itself carries access control
Compliance / ComplianceTypePer-field compliance settings (e.g. masking sensitive fields)

The CPET identity (customer:product:environment:tenant)

Section titled “The CPET identity (customer:product:environment:tenant)”

Several commands scope work to a four-part identity the platform calls CPET, customer, product, environment, tenant. It’s stated explicitly in kis script run’s --cpet flag (“CPET identity, comma-separated: customer,product,environment,tenant”).

The same four-segment shape appears as the default --schema on the entity commands (write-entity / read-entity): system:system:system:system. Read it as customer:product:environment:tenant, each defaulting to system. This is how a record write is scoped to the right customer/product/environment/tenant, and it ties back to a datastore’s tenancy mode.

Terminal window
# A script carrying an explicit CPET identity
kis script run rules.js --cpet acme,billing,prod,tenant-42
# An entity write scoped to a CPET (colon-separated --schema)
kis write-entity -d entities/faq.yaml -p dbpool.yaml -f rec.json \
--schema acme:billing:prod:tenant-42

IAM definitions are kis spec kinds, the same author → validate → lint loop as any platform definition:

Terminal window
kis spec list | grep -iE 'access|auth|role|policy|user|realm|provider' # the IAM kinds
kis spec new policy my-policy # scaffold a definition
kis spec validate authz/ # validate your IAM YAML
kis spec generate jsonschema --kind Policy --output ./schemas # full JSON Schema